It's interesting to see a social engineering proof of concept released in this way.
When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.
Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.
Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."
> it should be no surprise that "social engineering works."
Is it really social engineering if the employees followed the Microsoft policy, however crappy it might be? I always thought social engineering is making someone break the policy by psychological tricks.
> Is it really social engineering if the employees followed the Microsoft policy
I'd say that the attack vector is still social engineering; the difference here is that the result is not based in policy failure.
Normally we recommend that clients require their employees to attend security awareness training, in order for them to understand social engineering risks and remind them to follow the correct policies that are put in place.
In this instance, however, there is no policy being broken. My summation of the issue would be that it is a policy failure being exploited by a social engineering attack vector.
If it's exploiting human factor vulnerability as opposed to software/hardware vulnerability, it is social engineering. It's like saying "this is not a vulnerability because our software does not have a buffer overflow - it just allows anybody who enters admin/admin as login/password to have full access". It's only worse if policies are so broken that you don't even have to violate them to get unauthorized access.
I love it how every computer criminal now calls himself "security researcher". Muggers should start calling themselves "personal security researchers" and burglars should be "house security researchers".
Careful. This sentiment has also been used in the other direction, to suggest that people who inspect software for vulnerabilities, including software they've downloaded and run or purchased on hardware, are themselves epsilon from criminals.
There is a world of difference between downloading and testing for bugs and selling "cheap DDoS, bypass DDoS protection". One does not need to be extra careful to see one apart from the other, former is research, latter is lowlife criminal.
One person could do both, but usually people that excel at one rarely also excel at another. There are some "mad scientists", but usually if a person is selling DDoS his "research" benefits only one person - himself, and harms all the rest.
I think the legit researchers should be the first ones to take an effort to disassociate themselves from the types like this one. And not only by passively reminding "other types exist too" but by actively excluding criminals from their midst and being intolerant to such behavior. Offtopic for this discussion, I presume, but if we already ventured there...
Is it like saying if you rob somebody yesterday and don't rob anybody today, you're not a criminal anymore - you just wore a "criminal hat" yesterday? I don't think it works this way.
I manage a school network and despite our ISP provided "DDOS Protected" IPs a single student with a spare $12 was able to keep us down for a week using that service.
Paying couple of bucks to a criminal to wreak havoc on school network is not really "clever". Not more "clever" than giving some drug addict money to beat up a teacher that was too strict, on his opinion or pooping in a bag, leaving it on a teacher's porch, lighting it on fire and ringing the bell..
This is plain and simple vandalism, and should be treated as such, not congratulating the delinquent-in-making on being clever. If he wanted to be clever, he could build some useful software for the school and opensource it so other schools could use it too. That would be clever, this one is just malicious.
I think you hidden your point a little too well. If you tried to say that kids are not adults, I agree, but that makes telling them when they are wrong even more important, instead of encouraging them to be "clever" in such ways. When they make a mistake, it should be recognized as such, not treated as "yet another wonderful expression of their creativity and free spirit".
Kids are going to make trouble. Sure trouble is trouble, and we can sit here and decry how horrible it is, but it's their nature.
Kids need structure, they won't follow it. Sure that's a waste, and we can sit here and decry how short sighted it is, but it's their nature.
Some kids are more rambunctious than others. Sure that needs to be addressed, and we can sit here and decry how difficult that kid is making it on everyone, but it's their nature.
Does there ever come a point where we can just appreciate nature? I don't have to deal with the little shit, so I'm fine just watching the flowers bloom.
Someone hacked my Skype account back last summer and took at a subscription to Guatemala.
Skype picked it up and locked me out of my account but after that were quite frankly F All use: wouldn't refund the money, wouldn't give me any details as to where my account had been accessed from (citing privacy concerns!!!)
Furthermore they even left the fraudulent subscription in place until I cancelled it.
Don't leave money in a Skype account or hook it up to a credit card
Similar story: Last summer I realized that one guy from India was using my Skype account with me at the same time. He was making a lot of phone calls to his girlfriend, and Skype was charging my bank account all the time. I noticed once he forgot removing the history before he logs out.
Not sure I trust this. A thread on a forum, where the first 20 posts are just two (sockpuppet?) users talking to each other in full support of each other.
And then he keeps saying "scammers have stolen hundreds of dollars from friends of mine through Skype." And "I've lost the trust of my customers". And the guy runs a DDOS service as his business.
If you hire someone to do DDOS for you, do you trust him?
If this is true, I'm glad it reached the front page of HN. Given all the popular services out there which we use with just enough trust to put our privacy in jeopardy, I'm glad a hole is being exposed in such a big service. Hopefully Skype changes their verification practices.
Skype is switching to use Microsoft Accounts, which have security questions and 2-factor auth. This vulnerability is only for people who haven't switched yet.
Haven't switched? You say that like Skype is actually forcing or even suggesting users switch. I just logged into my account. Aside from a 'Microsoft Accounts' button on the login screen, there isn't a single thing about MS Accounts let alone "you need to change your account!"
So, I'm going to wager this vulnerability affects about 99.99% of the users.
I've no idea if it's more like 10% of 90%, but I'm sure a lot lower than 99.99%.
People who used both Skype and MSN (Live Messenger) were shifted from MSN to Skype and now use their Microsoft account to connect to both lists of contacts in Skype. So it's not just for the geeky few who have set this up.
Second thought: last I checked, I could log-in to Skype with both my old username and my Microsoft account, but my Skype username didn't allow me to view MSN contacts. So if that's still the case, then I guess this would affect 100% of people, even those who have made the switch.
I thought it was just merging the accounts? I login with my skype name, and can talk with all my MSN contacts there. All the 'switch' does is add your MSN contacts, and give you a second way to log in. As far as I can tell, this affects everybody.
TL;DR: Social engineering attacks work. I was able to reset my Ameritrade account password by giving the support person the name of one of the stocks in my portfolio (along with some other basic identifying info).
They work against the service company you mean. This is not a normal vector. The company is supposed to be smart enough to not divulge their customer's accounts through social engineering.
You should never accept the caller id of a phone number that called you as identity verification. It is trivial for anyone with a VoIP line to set caller id to whatever they wish.
This makes sense why American Express automated prompt keeps telling me that "I can see the number you are calling from matches the number on your record" (or something like that). My first thought was how trivial it is to spoof the system. Apparently, they are more clever than I am.
In an unrelated incident, I was talking to T-Mobile when the phone got cut off. They called me back (which was amazing customer service) until the first thing he said was he needed to authenticate I was me. So I was supposed to give him the last four digits of my social. I tried to reason with him why it was a bad idea but ended up thanking him and telling him that I'd call in at a later time.
I think there's a conflict of interest. If you're telling the truth, and they lock you out of your account, then they lose a customer. If an attacker is trying to steal your identity, you suffer much more than Skype.
I can't see any conflict of interests. Skype would lose x>1 customers mistakenly locking out one users who blogs about it. When in doubt you can tell the user the identity verification test didn't go well and ask for extra information about the account, for example checking the IPs.
There's plenty of ways people can lose access to the attached email address: signed up with a work email, then left the company; signed up with an ISP email, then switched ISPs; email provider went out of business; Google banned your account. It's useful to have a fallback for those cases.
With little amount of information Skype requires when signing up, I think fallback option is just not feasible. If you left the company or email provider out of business - and you forgot to switch your email AND THEN you forgot your password??!
Just sign up for new Skype account...
Something similar happened to a friend of mine 3 months ago, however I didn't have this much detail.
What I did know was that the person who took over his (my friend's) account didn't have his laptop or PC hacked but the hijacker used Skype support instead and involved, what I'm assuming, the same information that the OP's thread mentions.
Interestingly, there's no link to what the moderator was mentioning here :
"Dear All,
The post in question was deleted from this thread as the information was duplicate-posted elsewhere. The post did not directly contribute to the topic.
This thread has been escalated to those to whom I report.
Regards,
Elaine
Community Moderator"
I'm curious to find where that "elsewhere" is. I've never seen a legitimate case of posts being deleted because content was "duplicate-posted elsewhere." At the most, the thread will get locked with a link to wherever "elsewhere" resides.
Haha! Good point. This would explain why they're trying to limit it to "elsewhere", presumably off their forums altogether.
Speaking of alternatives, I found Jitsi to be pretty good ( https://jitsi.org/ ) and best of all, it's Open Source. A friend of mine uses Viber although its has had security hiccups lately.
Hell ! Even a bloody e-mail-reset-password is more safe then THIS!
Good think I didn't decide to switch from MSN to Skype yet (and drop both) ... but now I decided.
"because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above"
So, what? Is the author expecting Skype to just have some "does this person own the account" crystal ball? What do they want? If it's security questions, I don't consider those much of a solution because the questions tend to be very poor on the ratio of "things I can remember specifically" to "things people can't look up about me".
When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.
Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.
Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."